XPath Injection in XML Databases

Upload: triad-square-infosec-pvtltd

Post on 25-May-2015


DESCRIPTION

XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.

TRANSCRIPT

XPath Injection in XML Databases

What is XPath Injection?

XML Path Language, or XPath, is a language used for querying information from the nodes of an XML document.

XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.

Impact of XPath Injection

An unauthenticated attacker may extract a complete XML document using XPath querying. This may compromise the integrity of your database and expose sensitive information.

Example of XML Document

Let us take an example of an XML document called employees.xml and see how an XPath expression can be used to retrieve information from it:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <employees>
      <employee id="1">
        <loginID>Mike</loginID>
        <accountno>11123</accountno>
        <passwd>test123</passwd>
        <salary>468100</salary>
      </employee>
      <employee id="2">
        <loginID>john</loginID>
        <accountno>63458</accountno>
        <passwd>myownpass</passwd>
        <salary>559833</salary>
      </employee>
    </employees>

XPath Expression

The selectNodes method takes a path expression as its parameter; here it extracts the value of the passwd node under each employee node in the employees.xml document.

The path expression for passwd in this case is /employees/employee/passwd

    ' Load employees.xml synchronously with the MSXML DOM (VBScript)
    Set xmlDoc = CreateObject("Microsoft.XMLDOM")
    xmlDoc.async = False
    xmlDoc.load("employees.xml")
    ' Select the text of every passwd node under /employees/employee
    Set nodes = xmlDoc.selectNodes("/employees/employee/passwd/text()")
    WScript.Echo nodes(0).nodeValue   ' first matched value

XPath Expression (continued)

The result of the above query (the first passwd node it matches) will be

test123

When an application has to retrieve information from the XML document based on user input, it builds an XPath query from that input and executes it on the server.

xmlDoc.selectNodes("/employees/employee/passwd/text()")
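The following is an added example, not code from the slides: it reproduces the slides' employees.xml as a constructed in-memory document, shows the query-by-concatenation pattern the slides warn about next to a hardened lookup, and builds a fail-closed login check on top of it. It uses Python's standard-library ElementTree rather than MSXML, so the slides' /employees/employee/passwd/text() expression is expressed as findall on passwd elements; the allowlist pattern LOGIN_RE and the function names are assumptions made for illustration.

```python
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample document mirroring the slides' employees.xml (not a real file).
EMPLOYEES_XML = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<employees>
  <employee id="1">
    <loginID>Mike</loginID>
    <accountno>11123</accountno>
    <passwd>test123</passwd>
    <salary>468100</salary>
  </employee>
  <employee id="2">
    <loginID>john</loginID>
    <accountno>63458</accountno>
    <passwd>myownpass</passwd>
    <salary>559833</salary>
  </employee>
</employees>"""

ROOT = ET.fromstring(EMPLOYEES_XML)  # the <employees> element

# Hypothetical allowlist policy: only characters a login ID legitimately needs.
# Quotes, brackets, slashes and spaces (the characters that change the meaning
# of an XPath expression) are deliberately excluded.
LOGIN_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def all_passwords(root):
    """Equivalent of the slides' /employees/employee/passwd/text(): ElementTree
    has no text() step, so the text is read from each matched passwd element."""
    return [p.text for p in root.findall("./employee/passwd")]


def build_query_unsafe(login):
    """The vulnerable pattern: untrusted input is pasted into the query text."""
    return "./employee[loginID='" + login + "']/passwd"


def lookup_password_unsafe(root, login):
    """Runs the concatenated query. A quote or bracket inside `login` becomes
    part of the expression's syntax instead of part of the compared value."""
    return [p.text for p in root.findall(build_query_unsafe(login))]


def is_valid_login(login):
    """Allowlist check applied before a value can reach any query."""
    return LOGIN_RE.fullmatch(login) is not None


def lookup_password_safe(root, login):
    """Hardened lookup: the allowlist rejects metacharacters, and the value is
    compared in application code, never parsed as part of an XPath expression."""
    if not is_valid_login(login):
        raise ValueError("login ID rejected by allowlist")
    for emp in root.findall("./employee"):
        login_node = emp.find("loginID")
        if login_node is not None and login_node.text == login:
            passwd_node = emp.find("passwd")
            return passwd_node.text if passwd_node is not None else None
    return None


def authenticate(root, login, password):
    """Login check on top of the safe lookup; invalid IDs and unknown users fail closed."""
    if not is_valid_login(login):
        return False
    stored = lookup_password_safe(root, login)
    if stored is None:
        return False
    # Constant-time comparison so timing does not reveal how many characters matched.
    return hmac.compare_digest(stored.encode(), password.encode())


if __name__ == "__main__":
    print(all_passwords(ROOT))                    # ['test123', 'myownpass']
    print(lookup_password_unsafe(ROOT, "Mike"))   # ['test123']
    print(build_query_unsafe("O'Brien"))          # the quote lands inside the expression
    print(authenticate(ROOT, "Mike", "test123"))  # True
    print(authenticate(ROOT, "O'Brien", "x"))     # False: rejected before any query runs
```

The point of the two lookups is where the untrusted value ends up: in the unsafe version it is part of the query text that the XPath engine parses, so an ordinary surname such as O'Brien already alters the expression; in the safe version the only query string is a constant, and the user-supplied value is compared as data. If a query must carry user input, bind it as an XPath variable through the engine's variable mechanism rather than concatenating it.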

XPath Injection

Attack Technique

Bypassing Authentication (in the username field)

Bypassing Authentication, continued (in the username field)

Bypassing Authentication, continued (in the password field)